LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (http://www.linuxquestions.org/questions/linux-server-73/)
-   -   Internal Network Server unable to access public Internet (http://www.linuxquestions.org/questions/linux-server-73/internal-network-server-unable-to-access-public-internet-809461/)

johndubchak 05-22-2010 07:33 AM

Internal Network Server unable to access public Internet
 
Hi,

I have set up a network where a single CentOS server acts as a firewall/gateway to a number of internal servers. The firewall is able to access and ping the internet, however, none of the internal servers can.

I am trying to isolate the issue by focusing on a single server. The relevant details are:

FIREWALL Computer:

Code:

# ifconfig

eth0      Link encap:Ethernet  HWaddr 00:25:90:00:BD:32 
          inet addr:XX.XX.XX.54  Bcast:XX.XX.XX.55  Mask:255.255.255.252
          inet6 addr: fe80::225:90ff:fe00:bd32/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:584 errors:0 dropped:0 overruns:0 frame:0
          TX packets:579 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:43510 (42.4 KiB)  TX bytes:48712 (47.5 KiB)
          Memory:fb5e0000-fb600000

eth1      Link encap:Ethernet  HWaddr 00:25:90:00:BD:33 
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::225:90ff:fe00:bd33/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:236 errors:0 dropped:0 overruns:0 frame:0
          TX packets:247 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:22423 (21.8 KiB)  TX bytes:30056 (29.3 KiB)
          Memory:fb6e0000-fb700000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

# route -n

Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
XX.XX.XX.52    0.0.0.0        255.255.255.252 U    0      0        0 eth0
192.168.0.0    0.0.0.0        255.255.255.0  U    0      0        0 eth1
169.254.0.0    0.0.0.0        255.255.0.0    U    0      0        0 eth1
0.0.0.0        XX.XX.XX.53    0.0.0.0        UG    0      0        0 eth0

# cat /etc/resolv.conf

search example.com
nameserver 205.171.3.65
nameserver 205.171.2.65

# iptables -L

Chain INPUT (policy ACCEPT)
target    prot opt source              destination       
RH-Firewall-1-INPUT  all  --  anywhere            anywhere           

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       
RH-Firewall-1-INPUT  all  --  anywhere            anywhere           

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       

Chain RH-Firewall-1-INPUT (2 references)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere           
ACCEPT    all  --  anywhere            anywhere           
ACCEPT    icmp --  anywhere            anywhere            icmp any
ACCEPT    esp  --  anywhere            anywhere           
ACCEPT    ah  --  anywhere            anywhere           
ACCEPT    udp  --  anywhere            224.0.0.251        udp dpt:mdns
ACCEPT    udp  --  anywhere            anywhere            udp dpt:ipp
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ipp
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:6772
REJECT    all  --  anywhere            anywhere            reject-with icmp-host-prohibited

What is odd about the default route is that it is pointing to XX.XX.XX.53 rather than eth0 XX.XX.XX.54 as I would expect. I changed it to the .54 value, but seems to have been reset upon reboot. Also, I have configured static IP addresses for the internal, private, network.

INTERNAL Server:

Code:

# ifconfig

eth0      Link encap:Ethernet  HWaddr 00:25:90:00:BF:A2 
          inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30506 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34194 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3386549 (3.2 MiB)  TX bytes:2890470 (2.7 MiB)
          Memory:fb5e0000-fb600000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

# cat /etc/resolv.conf

search example.com
nameserver 205.171.3.65
nameserver 205.171.2.65

# iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source              destination       

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination 

# ping google.com
ping: unknown host google.com

I have disabled SELinux on this server.

This is driving me crazy and I've spent far too much time using Google trying to track the issue down. Any insight is appreciated.

Thanks,
John

Blue_Ice 05-22-2010 09:50 AM

xxx.xxx.xxx.53 is probably your isp's gateway. Can you also run 'route -n' on your internal server?

Cotun 05-22-2010 09:52 AM

I'm pretty sure you've already done this and forgive me if this is totally obvious :) but have you checked that the gateway value on the internal machines is correctly set? As far as I can see, you didn't provide that information in your post.

johndubchak 05-22-2010 10:21 AM

Quote:

Originally Posted by Blue_Ice (Post 3977608)
xxx.xxx.xxx.53 is probably your isp's gateway. Can you also run 'route -n' on your internal server?

Hi Blue Ice,

Thanks for the response. Here is the route -n on the internal machine:

Code:

# route -n

Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
192.168.0.0    0.0.0.0        255.255.255.0  U    0      0        0 eth0
169.254.0.0    0.0.0.0        255.255.0.0    U    0      0        0 eth0
0.0.0.0        192.168.0.1    0.0.0.0        UG    0      0        0 eth0

Thanks,
John

johndubchak 05-22-2010 10:24 AM

Quote:

Originally Posted by Cotun (Post 3977613)
...have you checked that the gateway value on the internal machines is correctly set?

Hi Cotun,

Do you mean the network settings on the internal server? If so, here is the configuration from eth0:

Code:

# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Intel Corporation 82574L Gigabit Network Connection
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.0.10
NETMASK=255.255.255.0
NETWORK=192.168.0.0
GATEWAY=192.168.0.1
HWADDR=00:25:90:00:bf:a2
ONBOOT=yes

As far as I can tell, with both the previous "route -n" post and this one, I *think* I have everything correct.

John

Blue_Ice 05-22-2010 10:51 AM

Can you post the contents of the file /etc/sysconfig/iptables.save after running 'service iptables save'. I suspect there is something wrong with your forwarding in iptables. The routing table on your internal server looks okay.

johndubchak 05-22-2010 01:52 PM

Quote:

Originally Posted by Blue_Ice (Post 3977677)
Can you post the contents of the file /etc/sysconfig/iptables.save after running 'service iptables save'.

Internal Server:

Code:

# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Sat May 22 06:48:12 2010
*filter
:INPUT ACCEPT [520:48649]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [501:42512]
COMMIT
# Completed on Sat May 22 06:48:12 2010

External Facing Server:

Code:

cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Sat May 22 06:50:57 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19645:1914032]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 6772 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat May 22 06:50:57 2010


Blue_Ice 05-22-2010 02:48 PM

There is no NAT present.
In my iptables config I have something like this at the bottom:
Code:

...
*nat
:PREROUTING ACCEPT [8305:780307]
:POSTROUTING ACCEPT [15:1036]
:OUTPUT ACCEPT [458:29442]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT


michaelk 05-22-2010 04:32 PM

If you can ping 74.125.45.103 (google.com) successfully then it is just of matter of updating your servers /etc/resolv.conf file with your ISP DNS IPs. You also need to configure ip forwarding and add the iptables rules for NAT as already posted.

johndubchak 05-22-2010 05:46 PM

Quote:

Originally Posted by michaelk (Post 3977908)
If you can ping 74.125.45.103 (google.com) successfully then it is just of matter of updating your servers /etc/resolv.conf file with your ISP DNS IPs.

Agreed. Although, unfortunately, I've tried that. Here are my attempts from the internal server:

Code:

# ping 74.125.45.103
PING 74.125.45.103 (74.125.45.103) 56(84) bytes of data.

--- 74.125.45.103 ping statistics ---
62 packets transmitted, 0 received, 100% packet loss, time 61000ms

# ping google.com
ping: unknown host google.com

Thanks for the response.

John

michaelk 05-22-2010 06:02 PM

Did you enable IP forwarding?
To enable IP forwarding edit your /etc/sysctl.conf and change the following line from a 0 to a 1. This will not become effective until you reboot.
net.ipv4.ip_forward = 0

To enable it on the fly
echo 1 > /proc/sys/net/ipv4/ip_forward

johndubchak 05-22-2010 06:09 PM

Quote:

Originally Posted by Blue_Ice (Post 3977839)
There is no NAT present.
In my iptables config I have something like this at the bottom:
Code:

...
*nat
:PREROUTING ACCEPT [8305:780307]
:POSTROUTING ACCEPT [15:1036]
:OUTPUT ACCEPT [458:29442]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT


Hi BlueIce,

I have this as part of my iptables config:

Code:

# masquerade from internal network
/sbin/iptables -t nat -A POSTROUTING -s ${lannet} -o ${IFext} -j MASQUERADE

I'm not sure why it doesn't show up in the listings I provided earlier. I didn't have it on the internal server, but didn't think I needed to since the routing rules should take care of forwarding any public internet traffic out through the Gateway.

Thanks,
John

Cotun 05-23-2010 10:05 AM

Quote:

Do you mean the network settings on the internal server? If so, here is the configuration from eth0:

As far as I can tell, with both the previous "route -n" post and this one, I *think* I have everything correct.
Yes, that looks fine.

Unfortunately, we are moving beyond my realm of expertise now into manual Iptable firewalls (I use a configuration tool for this). But it seems to me that there are only two possibilities. 1) That the firewall is blocking traffic to/from the internal server or 2) That the traffic isn't being routed at all for some reason.

Can I assume that the internal server can actually connect to the firewall? Just to rule out a bizarre network problem :)

Thanks

Blue_Ice 05-23-2010 10:07 AM

Quote:

Originally Posted by johndubchak (Post 3977957)
I'm not sure why it doesn't show up in the listings I provided earlier. I didn't have it on the internal server, but didn't think I needed to since the routing rules should take care of forwarding any public internet traffic out through the Gateway.

You need it, as your internal network has private ipaddresses. You need to translate the addresses. You can add the rules yourself in /etc/sysconfig/iptables and restart iptables. These rules are not needed on your internal server. What is important is the ipforwarding setting in sysctl.conf as mentioned in the other posts.

johndubchak 05-23-2010 02:04 PM

Blue Ice,

Here is the output from executing iptables save, specifically the filters section, from the Gateway/external server:

Code:

*filter
:INPUT DROP [16:3486]
:FORWARD DROP [22:1719]
:OUTPUT DROP [0:0]
:DUMP - [0:0]
:SSH - [0:0]
:STATEFUL - [0:0]
:SYN-FLOOD - [0:0]
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN-FLOOD
-A INPUT -i eth0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -f -j LOG --log-prefix "IPT FRAGMENTS: "
-A INPUT -i eth0 -f -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN-FLOOD
-A INPUT -i eth0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -f -j LOG --log-prefix "IPT FRAGMENTS: "
-A INPUT -i eth0 -f -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -s 0.0.0.0/255.0.0.0 -i eth0 -j DUMP
-A INPUT -s 240.0.0.0/255.0.0.0 -i eth0 -j DUMP
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j SSH
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 113 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 123 --dport 123 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1024:65535 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 33434:65535 -j ACCEPT
-A INPUT -j STATEFUL
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j STATEFUL
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.0.0 -j ACCEPT
-A OUTPUT -j STATEFUL
-A DUMP -p icmp -m limit --limit 1/min -j LOG --log-prefix "IPT ICMPDUMP: "
-A DUMP -p tcp -m limit --limit 1/min -j LOG --log-prefix "IPT TCPDUMP: "
-A DUMP -p udp -m limit --limit 1/min -j LOG --log-prefix "IPT UDPDUMP: "
-A DUMP -p tcp -j REJECT --reject-with tcp-reset
-A SSH -i ! eth0 -j RETURN
-A SSH -m recent --set --name SSH --rsource
-A SSH -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN
-A SSH -j DUMP
-A STATEFUL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATEFUL -i ! eth0 -m state --state NEW -j ACCEPT
-A STATEFUL -j DUMP
-A SYN-FLOOD -m limit --limit 1/sec --limit-burst 4 -j RETURN
-A SYN-FLOOD -j DROP
COMMIT

I may be wrong, but is it possible that I don't have a rule that allows anything to be accepted that originates as incoming on the private network through eth1?

Thanks,
John


All times are GMT -5. The time now is 11:10 AM.